Why is SNAT applied?

Author
fl0at0xff
Bronze Member
2018/09/13 02:35:45

Why is SNAT applied?

Hello

I have a VIP for the server SCMAAS01 (10.128.0.30) where the external IP is 10.146.136.30 and the internal IP is 10.128.0.30. This VIP is only used in a policy (id 49) from an IPsec tunnel (VPN_2_ETA) to the internal interface (SERVER) for all protocols.

For the other direction, I use an IP pool named NAT_SCMAAS01 whose external IP range is 10.146.136.30-10.146.136.30, of type One-to-One. This object is only used in the policy (id 48) from the internal interface (SERVER) to the IPsec tunnel (VPN_2_ETA) for all protocols.

Now, this server (10.128.0.30) is unable to reach the internet. A policy exists to allow the traffic, but I saw in the log that SNAT is applied too... In the policy (id 50) that allows this server to reach the internet, NAT is of course configured, but we don't use the NAT pool; we use the outgoing interface (195.141.249.225).

Below is the log.

SCMAFW01 # 2018-09-13 11:33:22 id=20085 trace_id=1503 func=print_pkt_detail line=5292 msg="vd-root received a packet(proto=6, 10.128.0.30:61013->8.8.8.8:53) from SERVERS. flag [S], seq 4119206949, ack 0, win 8192"
2018-09-13 11:33:22 id=20085 trace_id=1503 func=init_ip_session_common line=5451 msg="allocate a new session-005aed6c"
2018-09-13 11:33:22 id=20085 trace_id=1503 func=vf_ip_route_input_common line=2576 msg="find a route: flag=04000000 gw-195.141.249.17 via wan1"
2018-09-13 11:33:22 id=20085 trace_id=1503 func=fw_forward_handler line=743 msg="Allowed by Policy-50: SNAT"
2018-09-13 11:33:22 id=20085 trace_id=1503 func=__ip_session_run_tuple line=3190 msg="SNAT 10.128.0.30->10.146.136.30:61013"


Can you help me please?
#1
Ashu
Gold Member
Re: Why is SNAT applied? 2018/09/13 04:10:35
Hi,

Can you traceroute to the internet (8.8.8.8) from the server and check; maybe you have configured a policy-based route for the server.
 
Regds,
 
Ashik
#2
fl0at0xff
Bronze Member
Re: Why is SNAT applied? 2018/09/13 04:34:18
Hello @ashik,
 
No, I don't have PBR on this firewall.
 
 
PS C:\Users\Administrator> TRACERT.EXE 8.8.8.8

Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:

  1 <1 ms <1 ms <1 ms 10.128.0.1
  2 * * * Request timed out.
  3 * * * Request timed out.

 
10.128.0.1 is the gateway on the FortiGate for this server.
#3
Ashu
Gold Member
Re: Why is SNAT applied? 2018/09/13 05:24:15
Looks like you have issues in the static route or maybe the policy.
 
Regds,
 
Ashik
#4
fl0at0xff
Bronze Member
Re: Why is SNAT applied? 2018/09/13 05:30:46
No... I have a dozen other servers in the same VLAN and all are working fine. This server has a problem because it is the only one that has a VIP and specific NAT on it.
#5
rdumitrescu
Bronze Member
Re: Why is SNAT applied? 2018/09/13 05:37:36
Have you configured the VIP using the external interface as “any”?
#6
fl0at0xff
Bronze Member
Re: Why is SNAT applied? 2018/09/13 05:49:41
Yes, and I guess I found my problem: when using a VIP without Port Forwarding enabled, the internal IP address in the Mapped field would be translated to the IP address configured as the External Address in the VIP settings.
 
I need to specify port forwarding first, and probably the interface or the source IPs.
#7
rdumitrescu
Bronze Member
Re: Why is SNAT applied? 2018/09/13 06:10:37 (marked helpful by fl0at0xff 2018/09/13 07:54:00)
If you configure a specific external interface and not just “any”, you shouldn't have any problem.
#8
Ashu
Gold Member
Re: Why is SNAT applied? 2018/09/13 07:11:29
The VIP setting is mainly applied to incoming traffic to the server, not to outgoing, so it shouldn't be a problem, I believe.
 
Just check the policy or routing. Or you might have a persistent route on the server; check using route print.
 
Regds,
 
Ashik
#9
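As an added example (not code from the thread or from Fortinet), the following Python parses the debug-flow lines from the original post and reports whether the SNAT address came from the policy's outgoing interface or from a static VIP with extintf "any", the cause posts #6 and #7 settle on. The VIP, interface names and addresses are taken from the thread; the rule that a VIP without port forwarding rewrites outbound traffic from its mapped IP whenever extintf is "any" or matches the egress interface is the assumption the check encodes.

```python
import re

# Debug-flow lines copied from the thread's own output (CLI prompt stripped).
DEBUG_FLOW = """\
2018-09-13 11:33:22 id=20085 trace_id=1503 func=print_pkt_detail line=5292 msg="vd-root received a packet(proto=6, 10.128.0.30:61013->8.8.8.8:53) from SERVERS. flag [S], seq 4119206949, ack 0, win 8192"
2018-09-13 11:33:22 id=20085 trace_id=1503 func=vf_ip_route_input_common line=2576 msg="find a route: flag=04000000 gw-195.141.249.17 via wan1"
2018-09-13 11:33:22 id=20085 trace_id=1503 func=fw_forward_handler line=743 msg="Allowed by Policy-50: SNAT"
2018-09-13 11:33:22 id=20085 trace_id=1503 func=__ip_session_run_tuple line=3190 msg="SNAT 10.128.0.30->10.146.136.30:61013"
"""

# VIP object as described in the thread: extintf "any", port forwarding off.
VIPS = {"SCMAAS01": {"extip": "10.146.136.30", "mappedip": "10.128.0.30",
                     "extintf": "any", "portforward": False}}
# Address of the outgoing interface that policy 50 was meant to NAT to.
EGRESS_IP = {"wan1": "195.141.249.225"}


def parse_trace(text):
    """Pull source, egress interface, policy id and SNAT result out of one trace."""
    t = {}
    for line in text.splitlines():
        m = re.search(r"received a packet\(proto=\d+, ([\d.]+):\d+->([\d.]+):\d+\)", line)
        if m: t["src"], t["dst"] = m.groups()
        m = re.search(r'find a route: .* via (\S+)"', line)
        if m: t["egress"] = m.group(1)
        m = re.search(r"Allowed by Policy-(\d+)", line)
        if m: t["policy"] = int(m.group(1))
        m = re.search(r'msg="SNAT ([\d.]+)->([\d.]+):\d+"', line)
        if m: t["snat_from"], t["snat_to"] = m.groups()
    return t


def vip_implicit_snat(vip, src, egress):
    """Assumed rule: a non-port-forwarding VIP SNATs outbound traffic from its
    mapped IP when extintf is "any" or equals the egress interface."""
    return (not vip["portforward"] and vip["mappedip"] == src
            and vip["extintf"] in ("any", egress))


def explain_snat(trace, vips=VIPS, egress_ip=EGRESS_IP):
    """Name the object that supplied the SNAT address seen in the trace."""
    to = trace.get("snat_to")
    if to is None:
        return "no-snat"
    if to == egress_ip.get(trace.get("egress")):
        return "interface-nat"          # what policy 50 intended
    for name, vip in vips.items():
        if vip["extip"] == to and vip_implicit_snat(vip, trace.get("src"), trace.get("egress")):
            return f"vip:{name}"        # the VIP overrode the policy's source NAT
    return "unknown"
```

Running explain_snat on the thread's trace names the VIP; setting extintf to "VPN_2_ETA" as post #7 suggests makes vip_implicit_snat return False for traffic leaving via wan1.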